The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that mandates how an organization must handle personal data. If your business sells to, provides services to, employs, or monitors the behaviour of people who are in the European Union, the GDPR applies to you, whatever the nationality of those people and wherever your business is located.
As a small business admin, you're probably asking yourself "how do I get started?" This question might be especially true if your business doesn't handle personal data as a core business activity, or if GDPR is new to you.
You can get started by reviewing this article. This article aims to help you understand the GDPR, why it came about, and how Microsoft 365 for business can help your organization comply with the GDPR.
It also includes answers to common questions about GDPR that small businesses might have, and highlights steps a small business can take to prepare for GDPR.
Important
The Microsoft 365 solutions and recommendations in this article are tools and resources that can help you manage and protect your data, but aren't a guarantee of GDPR compliance. It's up to you to assess your own compliance status. Consult with your own legal and/or professional advisors when needed.
A quick overview of the GDPR
The GDPR is an EU regulation that replaces and expands the earlier Data Protection Directive (DPD), enacted in 1995. The GDPR is concerned with the privacy of an individual's data, whether that individual is a client, customer, employee, or business partner. Its goal is to strengthen the protection of personal data for individuals in the EU, regardless of their nationality, and it also reaches organizations outside the EU that offer goods or services to, or monitor, people in the EU. The regulation sets out obligations and, in many places, advises on how to meet them; organizations must have measures in place that satisfy those obligations.
The GDPR is all about data and how data is used. Think of data as having a life cycle. The cycle starts when you collect data, continues as you store it and use it (processing), and ends when you completely delete it from your systems.
The GDPR is concerned with the following types of data:
Personal data: If data can be linked to an individual and used to identify them, directly or indirectly, it is personal data with respect to the GDPR. Examples include name, address, date of birth, and IP address. Pseudonymized data (data in which identifiers have been replaced by codes or tokens) is still personal data if it can be linked back to an individual, for example by combining it with a lookup table, regardless of how obscure or technical the data is. Only data that can no longer be attributed to a person by any reasonably likely means counts as anonymous and falls outside the GDPR.
Sensitive personal data: The GDPR calls these "special categories" of personal data. Examples include religion, trade union membership, ethnic origin, health data, and data about sexual orientation. They also include biometric data used to identify a person and genetic data such as DNA. Under the GDPR, special category data has more stringent protection rules than other personal data; in general you need both a lawful basis and a specific exception (such as explicit consent) to process it.
GDPR terms
Specific terms are referred to frequently in the GDPR. It's important to understand these terms.
Consent:
The GDPR states: "The processing of personal data should be designed to serve mankind." Consent is one of the lawful bases the GDPR provides for processing personal data (others include performance of a contract, a legal obligation, and legitimate interests). Consent could be the act of asking customers whether they want to receive email messages from your company. It also means no more pre-ticked or opt-out check boxes on your website when you want to use data for marketing. You must obtain consent through a "clear affirmative act," it must be as easy to withdraw as it was to give, and you need to keep records of when consent was given or revoked.
Data subject rights:
The GDPR establishes data subject rights. With respect to their personal data, customers, employees, business partners, clients, contractors, students, suppliers, and so forth, have the right to:
Be informed about their data: You must inform individuals about your use of their data.
Have access to their data: You must give individuals access to any of their data that you hold (for example, by using account access or in some manual manner).
Ask for data rectification: Individuals can ask you to correct inaccurate data.
Ask for data to be deleted: Also known as the right to erasure, this right allows an individual to request the deletion of any personal data collected by the company across all systems that use it or share it.
Request restricted processing: An individual can ask that you suppress or restrict their data. However, it's only applicable under certain circumstances.
Have data portability: An individual can ask for their data to be transferred to another company.
Object: An individual can object to their data being used for various uses including direct marketing.
Ask not to be subject to automated decision-making, including profiling: The GDPR has strict rules about using data to profile people and automate decisions based on that profiling.
Steps to prepare for GDPR
This section describes steps a small business can take to help it get ready for GDPR. Much of the information for these steps was provided through Seven steps for businesses to get ready for the General Data Protection Regulation, a publication provided through the Publications Office of the European Union.
A good way for a small business to get started with GDPR is to make sure to apply the following key principles when collecting personal data:
- Collect personal data only for clearly defined purposes, and don't use it for anything else. For example, if you ask clients for their email addresses so they can receive your new offers or promotions, you can use those email addresses only for that specific purpose.
- Don't collect more data than you need. For example, if your business requires a mailing address to deliver goods, you need a customer's name and address, but you don't need to know the person's marital status.
Step 1: Know the personal data you collect and use within your business, and the reasons you need it
As a small business, one of your first steps should be to inventory the personal data you collect and use within your business, and to determine why each item of personal data is required. This inventory covers data about both employees and customers.
For example, you might need employee personal data because of the employment contract and for legal reasons (for example, reporting wages to your national tax authority, such as the Internal Revenue Service in the United States).
As another example, you might manage lists of individual customers to send them notices about special offers, if they consented to receive these notices.
Microsoft 365 features that can help in Step 1
Microsoft Purview Information Protection can help you discover, classify, and protect sensitive information in your company. You can use trainable classifiers to help you identify and label document types that contain personal data.
Step 2: Inform your customers, employees, and other individuals when you need to collect their personal data
Individuals must know that you process their personal data and for which purpose. For example, if a customer needs to create a customer profile to access your business's online site, make sure you state specifically what you intend to do with their information.
But there's no need to inform individuals when they already know how you plan to use the data. For example, when they provide a home address for a delivery.
You also have to be able to inform individuals on request about the personal data you hold on them and give them access to their data. Being organized with your data makes it easier to provide to them, if needed.
Step 3: Keep personal data for only as long as necessary
For employees data, keep it as long as the employment relationship remains and for related legal obligations. For customer data, keep it as long as the customer relationship lasts and for related legal obligations (for example, tax purposes). Delete the data when it's no longer needed for the purposes for which you collected it.
Microsoft 365 features that can help in Step 3
Retention policies and labels can be used to help you keep personal data for a certain time and delete it when it's no longer needed.
Step 4: Secure the personal data you're processing
If you store personal data on an IT system, limit access to the files containing the data to the people who need it: use individual accounts protected by strong passwords and multifactor authentication rather than shared logins, and grant permissions on the specific files or folders rather than to everyone. Keep the system patched and regularly review its security settings.
Note
The GDPR doesn't prescribe the use of any specific IT system, but it does require that the system you use has a level of security appropriate to the risk. See GDPR Article 32: Security of Processing for more information.
If you store physical documents with personal data, make sure the documents aren't accessible by unauthorized persons.
If you choose to store personal data in Microsoft 365 you have access to the following security features:
- The ability to help you to manage permissions to files and folders.
- Centralized secure locations to save your files (OneDrive or SharePoint document libraries).
- Data encryption when sending or retrieving your files.
Microsoft 365 features that can help in Step 4
You can use Set up compliance features to help protect your business's sensitive information, and Compliance Manager can help you get started right away. For example, you can create and deploy data loss prevention (DLP) policies based on the GDPR template, which detects EU identifiers such as passport and national ID numbers in mail and files.
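The following Security & Compliance PowerShell script is an added example and is not part of the original article or Microsoft's own documentation. It shows how Steps 3 and 4 can be applied together: a retention policy that deletes content a fixed time after it was last modified, and a DLP policy that detects EU identifiers and blocks their sharing outside the organization. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds the Compliance Administrator role; the policy names, the 5-year retention period, and the choice of sensitive information types are assumptions you should replace with what your own records policy justifies.

```powershell
# Added example (not from the original article). Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account holds the Compliance Administrator role.
# Policy names, the retention period and the sensitive information types are assumptions.
Install-Module ExchangeOnlineManagement -Scope CurrentUser   # first time only
Connect-IPPSSession                                          # Security & Compliance PowerShell

# ---- Step 3: keep personal data only as long as necessary ----
# Retain content for 5 years (1825 days) from its last modification, then delete it.
$retentionName = 'Customer records - 5 year retention'

New-RetentionCompliancePolicy -Name $retentionName `
    -Comment 'GDPR storage limitation: customer records' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All

New-RetentionComplianceRule -Name "$retentionName rule" -Policy $retentionName `
    -RetentionDuration 1825 `
    -ExpirationDateOption ModificationAgeInDays `
    -RetentionComplianceAction KeepAndDelete

# ---- Step 4: secure the personal data you're processing ----
# Detect common EU identifiers and stop them being shared with people outside the tenant.
# Start in test mode so you can review what would be blocked before enforcing.
$dlpName = 'GDPR - EU personal data'

New-DlpCompliancePolicy -Name $dlpName `
    -Comment 'Detect EU identifiers in mail, SharePoint and OneDrive' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

New-DlpComplianceRule -Name "$dlpName - block external sharing" -Policy $dlpName `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'EU Debit Card Number'; minCount = '1' },
        @{ Name = 'EU Passport Number';   minCount = '1' },
        @{ Name = 'EU Social Security Number (SSN) or Equivalent ID'; minCount = '1' }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Detections

# Confirm both policies exist and see where they have been distributed.
Get-RetentionCompliancePolicy -Identity $retentionName -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus
Get-DlpCompliancePolicy -Identity $dlpName | Select-Object Name, Mode, Enabled
```

Once the DLP incident reports show the expected matches and no false positives you care about, switch the policy to enforcement with `Set-DlpCompliancePolicy -Identity $dlpName -Mode Enable`. Policies created this way take a few hours to distribute to all locations, which is why the verification step reads `DistributionStatus`.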
Step 5: Keep documentation on your data processing activities
Prepare a short document explaining what personal data you hold and for what reasons. You might be required to make the documentation available to your national data protection authority if needed.
Such documents should include the information listed in the following table.
| Information | Examples |
|---|---|
| The purpose of data processing | Alerting customers about special offers; providing home delivery; paying suppliers; salary and social security coverage for employees |
| The types of personal data | Contact details of customers; contact details of suppliers; employee data |
| The categories of data subjects concerned | Employees; customers; suppliers |
| The categories of recipients | Labor authorities; tax authorities |
| The storage periods | Employees' personal data until the end of the employment contract (and related legal obligations); customers' personal data until the end of the client/contractual relationship |
| The technical and organizational security measures to protect the personal data | IT system solutions regularly updated; secured location; access control; data encryption; data backup |
| Whether personal data is transferred to recipients outside the EU | Use of a processor outside the EU (for example, storage in the cloud); data location of the processor; contractual commitments |
You can find Microsoft's contractual commitments regarding the GDPR in the Microsoft Online Services Data Protection Addendum. This file provides Microsoft's privacy and security commitments, data processing terms, and GDPR Terms for Microsoft-hosted services to which customers subscribe under a volume licensing agreement.
Step 6: Make sure your subcontractors respect the rules
If you sub-contract processing of personal data to another company, only use a service provider who guarantees the processing in compliance with the requirements of the GDPR (for instance, security measures).
Step 7: Assign someone to oversee personal data protection
To better protect personal data, some organizations must appoint a Data Protection Officer (DPO). Under GDPR Article 37 a DPO is mandatory only if you're a public authority, or if your core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special category data (or data about criminal convictions). The size of your business isn't by itself the deciding factor, but in practice a small business usually doesn't meet either threshold, in particular when:
- Processing of personal data isn't a core part of your business.
- You process only modest amounts of ordinary personal data about your own customers, suppliers, and staff.
For example, if your business collects customer data only for home delivery, you shouldn't need to appoint a DPO.
Even if you do need a DPO, you might not need a dedicated one. For example, you might assign this job to an existing employee, provided the role doesn't conflict with their other duties (the person who decides how data is processed shouldn't also be the one overseeing it). Or you could hire an external consultant for this duty as needed.
You normally don't need to carry out a Data Protection Impact Assessment. This requirement is reserved for businesses that pose more risk to personal data. For example, if they do a large-scale monitoring of a publicly accessible area, such as video-surveillance.
If you're a small business managing employee wages and a list of clients, you typically don't need to do a Data Protection Impact Assessment.
Common small business questions about the GDPR
I'm a sole proprietor - do I really have to worry about the GDPR?
The GDPR is about the data you process, not the number of employees you have. It affects companies of all sizes, even sole proprietors. However, companies with fewer than 250 employees do have some exemptions, such as reduced record keeping, but only if the processing is occasional, is unlikely to result in a risk to the rights of individuals, and doesn't include special category data or data about criminal convictions.
For example, processing of non-personal data is outside the GDPR entirely. However, if you process any data that counts as "special category" sensitive data, even only occasionally, you need to keep a record of that processing. The definition of "occasional processing" is vague, but it's meant to cover data that is used once or rarely; a customer list that you mail every month isn't occasional.
You should also make sure that the personal data you collect is protected. At a minimum that means encrypting the data (Microsoft 365 encrypts files at rest and in transit; for a local file, use BitLocker or the application's own password-protected encryption) and controlling who can open it, using individual accounts with strong passwords and multifactor authentication rather than a single shared password. Keeping your customer data in an unprotected spreadsheet on your desktop doesn't meet GDPR expectations.
How can I tell if our company website is GDPR compliant?
The first question to ask yourself is: Do you collect personal data anywhere on your site? For example, you might have a contact form that asks for a name and email address. If you want to send marketing emails, make sure you add an 'opt-in' checkbox that explains exactly what you plan to use the data for. Only if the recipient checks that box can you use their personal data for marketing purposes.
Also, check that the database used to store the data is protected: who can access it, whether it's encrypted, and where it's hosted. Your web hosting company or cloud storage vendor can answer these questions. If you store the data in Microsoft 365 for business, Microsoft provides contractual GDPR commitments for the service and encrypts stored data, but the permissions, sharing settings, and retention you configure remain your responsibility.
My company is outside Europe. Does the GDPR really affect us?
The GDPR protects individuals who are in the EU, whatever their nationality, and it applies to any organization that offers goods or services to those individuals or monitors their behaviour, even if the organization has no EU presence. If your company currently or potentially deals with people in the EU, you're affected.
Consider the following examples:
A U.S. company that rents cars to customers in the EU needs to satisfy GDPR requirements when it collects and processes those customers' data. The company needs a lawful basis for the processing (for the rental itself, performance of the contract; for marketing, consent), must ensure that the data is stored securely, and must make sure the customer can exercise all of their data subject rights.
An Australian company sells products online, and its users set up online accounts. GDPR data subject rights and consent are applied to EU citizens who open an account. The company needs to make sure the customer can apply all of their data subject rights.
An international charity collects data about donors and uses it to send out updates and requests for donations. The GDPR states: "...the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest." However, the responsibility is on the organization to show that its interests aren't overridden by the interests and rights of the data subject, and the individual can object to direct marketing at any time. The safest course for the charity is to obtain informed, explicit, opt-in consent.
The GDPR also applies when personal data moves across borders. If you use cloud computing for data storage, make sure the provider offers GDPR-compliant processing terms and tells you where the data is stored, because transfers to countries without an EU adequacy decision need additional safeguards (such as standard contractual clauses). If you use Microsoft 365 for business, Microsoft's Data Protection Addendum provides those processing terms and transfer safeguards; you still need to document the transfer in your own records (see Step 5).
Sure, I collect data, but some other company stores it. Does that get me off the hook?
Under the GDPR, if you collect data you're affected to some extent. The GDPR has the concept of a data processor and a data controller:
Data Controller: An individual or organization (there can be joint controllers) that decides what data is collected, why, and how it's processed. A controller remains responsible even when it stores the data on another company's cloud servers. For example, a website that collects customer data is a controller.
Data Processor: An individual or organization that stores or processes data on behalf of a controller and only on its instructions. For example, when your business stores customer data in Microsoft 365 for business, Microsoft acts as the processor and your business remains the controller.
An organization can act as both a controller and a processor for different processing activities. Microsoft acts as a processor for the customer data you store in Microsoft 365 and as a controller for some of its own data (such as billing and account data), and commits contractually to the GDPR in both roles. Being a controller is what keeps you "on the hook": outsourcing storage doesn't transfer your obligations.
Can I still send out marketing emails to my old customers?
You need to make sure your customers, even long-time customers, consented to use their data for marketing. You might have previously captured consent with a record to show it. If so, you're all set to continue marketing. If not, you need to get permission from the customer to continue marketing to them. This permission usually involves sending an email asking customers to go to your site and select an option to consent to receive future emails.
Do I have to worry about the GDPR when I recruit new employees? What about current employees?
The GDPR doesn't just affect customer data; it extends to employee data, too. New recruits are often found using social media platforms such as LinkedIn. Don't store data about potential recruits longer than the recruitment process requires, and don't keep it without telling them (and, where you rely on consent, without their express permission).
As for existing employees and new employment contracts, a signature at the end of a contract doesn't necessarily amount to consent, especially when the relevant clause isn't a clear affirmative act, and consent from an employee is rarely "freely given" because of the imbalance of power. In practice, most employee data processing relies on the employment contract, a legal obligation, or "legitimate interest" rather than consent. Add an employee data processing notice so that employees know what data you hold and what you plan to do with it.
Satisfy privacy concerns using Microsoft 365 for business
Becoming compliant with the GDPR is about making sure that personal data is protected. The GDPR has a concept known as Privacy by Design and Default. This means that data protection should be "baked in" to a system and a product so that satisfying privacy concerns is second nature.
Like their larger counterparts, a small business needs convenience without sacrificing security. Microsoft 365 for business is designed for companies with up to 300 users. Small companies can use Microsoft cloud-based tools to improve business productivity. With Microsoft 365 for business, a small business can manage email, documents, and even meetings and events. It also has built-in security measures and device management, which support GDPR compliance.
Microsoft 365 for business can help you with the GDPR process in the following ways:
Discover: An important step to GDPR compliance is knowing what data you have.
Manage: Controlling access to data and managing its use is an integral part of the GDPR. Microsoft 365 for business protects business data based on policies you apply to devices. Device management matters when employees work remotely, because personal data ends up on laptops and phones outside the office. Microsoft 365 for business includes device management features that help keep data protected across all devices. For example, you can require that all Windows 10 and later devices in your business run Windows Defender with real-time protection enabled.
Protect: Microsoft 365 for business is designed with security in mind. Its device management and data protection controls work across your business, including remote devices, to help keep data secure. Microsoft 365 for business offers controls such as privacy settings in the Microsoft 365 productivity apps and encryption of documents. With Compliance Manager, you can track the GDPR-related controls in your tenant and check that you have the right level of protection set.
Report: The GDPR places emphasis on accountability. Even a business with a single employee, if it processes large amounts of personal data, is required to document its processing activities and to be able to report on them. Microsoft 365 for business reduces the effort of meeting those reporting requirements for smaller organizations.
Tools such as the unified audit log allow you to track and report on who accessed, downloaded, or shared files. Combined with your own records, reports can show what data you collect and store, what you do with it, and where it's transferred.
Customers, employees, and clients are becoming more aware of the importance of data privacy and expect a company or organization to respect that privacy. Microsoft 365 for business provides tools that help you work towards and maintain GDPR compliance without a massive upheaval to your business.
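The following Exchange Online PowerShell script is an added example, not code from the original article or from Microsoft's own documentation. It shows the kind of report the audit log makes possible for the "Report" point above: every file download from SharePoint and OneDrive in the last 30 days, expanded into a per-user table you can attach to a data subject request or an incident record. It assumes the ExchangeOnlineManagement module is installed, that unified auditing is enabled for the tenant, and that the signed-in account holds the View-Only Audit Logs role; the 30-day window and the output file name are assumptions.

```powershell
# Added example (not from the original article). Assumes the ExchangeOnlineManagement
# module is installed, unified auditing is enabled, and the account can read audit logs.
# The 30-day window and the CSV path are assumptions.
Connect-ExchangeOnline

$start = (Get-Date).AddDays(-30)
$end   = Get-Date

# Pull file download events from SharePoint and OneDrive. ResultSize is capped at 5000
# per call; for larger tenants page through with -SessionId/-SessionCommand ReturnLargeSet.
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType SharePointFileOperation `
    -Operations FileDownloaded, FileSyncDownloadedFull `
    -ResultSize 5000

# AuditData is a JSON string; expand it into the columns a GDPR record needs.
$report = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $d.CreationTime
        User      = $d.UserId
        Operation = $d.Operation
        File      = $d.ObjectId
        ClientIP  = $d.ClientIP
    }
}

# Keep the full record, and surface the accounts that downloaded the most files.
$report | Sort-Object Time | Export-Csv -Path .\file-download-report.csv -NoTypeInformation
$report | Group-Object User | Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count
```

Sharing events (links created, external invitations) live under `-RecordType SharePointSharingOperation` rather than `SharePointFileOperation`; run a second search with that record type if you need to show where data was transferred, not only who downloaded it. Audit retention is limited (90 days on the standard plan), so export the report you need before the window closes.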
Next steps
To get ready for the GDPR, here are some suggestions for next steps to take:
Evaluate your GDPR program with Accountability Readiness Checklists.
Investigate Microsoft 365 for business as a solution for achieving and maintaining compliance with GDPR.
Important
Get legal advice appropriate for your company or organization.
More resources
Microsoft Trust Center overview of the GDPR
The Official Microsoft Blog: Microsoft commitment to GDPR
European Commission sites: